Analysis
- max time kernel: 151s
- max time network: 169s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:25
Static task: static1
Behavioral task: behavioral1
- Sample: 0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe
- Resource: win10v2004-en-20220113
General
- Target: 0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe
- Size: 36KB
- MD5: dc7f4d7a276fde3aecb0c3995f694a73
- SHA1: aeee2439fc0ca222378074fd475d670c9c507c95
- SHA256: 0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1
- SHA512: 275cd3183613410cf2dc28571cce1561169729a9007b02e3fb29e7ac06d1621d60fab7d2141edd60361094b4f3ff275592a6cc22212388442f86bb71125fe920
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1928  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
    1996  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    288  0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe
    288  0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  288  0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 288 wrote to memory of 1928  288  0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe  MediaCenter.exe
    PID 288 wrote to memory of 1928  288  0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe  MediaCenter.exe
    PID 288 wrote to memory of 1928  288  0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe  MediaCenter.exe
    PID 288 wrote to memory of 1928  288  0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe  MediaCenter.exe
    PID 288 wrote to memory of 1996  288  0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe  cmd.exe
    PID 288 wrote to memory of 1996  288  0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe  cmd.exe
    PID 288 wrote to memory of 1996  288  0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe  cmd.exe
    PID 288 wrote to memory of 1996  288  0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe  cmd.exe
    PID 1996 wrote to memory of 1812  1996  cmd.exe  PING.EXE
    PID 1996 wrote to memory of 1812  1996  cmd.exe  PING.EXE
    PID 1996 wrote to memory of 1812  1996  cmd.exe  PING.EXE
    PID 1996 wrote to memory of 1812  1996  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe"
  PID: 288
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1928
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a270f56cab4abf0e828a21a8da34f37e10a7f17c6d32a1344f1219d1bacc9c1.exe"
    PID: 1996
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1812
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 4d7ba0acad7fb6924a18801cdc9af5a4
  SHA1: d228c91b54bb6f1f0bdf2d9a350f91f48b479924
  SHA256: c16a1053bb5b261dd2d6a003ae13ac374bd1dcaa74a3feb3f6b246d3e8f178c3
  SHA512: 2f8885db1ae4830987aeea6259fb650856dfd6e31e3752124c0f814a281b1d93f24c872345798ec5a697bb1bd2c336d227d9949d3edcf618cb7366935cbbace6
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 4d7ba0acad7fb6924a18801cdc9af5a4
  SHA1: d228c91b54bb6f1f0bdf2d9a350f91f48b479924
  SHA256: c16a1053bb5b261dd2d6a003ae13ac374bd1dcaa74a3feb3f6b246d3e8f178c3
  SHA512: 2f8885db1ae4830987aeea6259fb650856dfd6e31e3752124c0f814a281b1d93f24c872345798ec5a697bb1bd2c336d227d9949d3edcf618cb7366935cbbace6
- memory/288-54-0x0000000076041000-0x0000000076043000-memory.dmp
  Filesize: 8KB